By submitting your personal information, you agree to receive emails regarding relevant products and special offers from TechTarget and its partners. You also agree that your personal information may be transferred and processed in the United States, and that you have read and agree to the Terms of Use and the Privacy Policy.

1. ESXi firewall

With ESX Server being discontinued with VMware vSphere 5, VMware took action to ensure that ESXi has all the security capabilities needed to fulfill its role as the company’s sole hypervisor. One of the features VMware admins were used to in ESX was the stateful Linux-based iptables firewall.

With VMware vSphere 5, the company added a firewall to ESXi. This firewall is a service-based firewall, tied to the specific applications you start on a host. Unlike most firewalls, it’s a stateless firewall that only protects the VMkernel interface (not the virtual machine network).

3. Logging improvements

The three cornerstones of vSphere security are authentication, authorization and accounting. Of course, accounting (also called logging) provides an accurate log of who does what and when. VMware vSphere 5 includes a number of improvements to its accounting capabilities.

VMware vSphere 5 includes more options for centralized logging and data collection in the event of a server crash. Built into the new vCenter Server Appliance (vCSA) as well as the Windows version of vCenter 5 are options to easily enable centralized syslog and dump collection capabilities. You simply turn these options on from the vCSA Web interface (Figure 1).

Figure 1Here is where to choose the logging options in the vCSA. (Click image for an enlarged view.)

You can no longer use the vSphere Management Assistant for ESXi log collection; you have to use the standard syslog mechanisms. If you have a syslog infrastructure already (to log things such as router and switch events), adding ESXi hosts to that system is a great option. (In other words, you don’t have to use the vCSA if you don’t want to.) The vCenter for Windows installation media contains the option to install the syslog server and dump collector.

4. Auto Deploy and Host Profile enhancements

For shops that need to roll out ESXi hosts en masse, VMware vSphere 5 offers a great new way to ensure host security in the process. The new Auto Deploy feature uses PXE booting to boot servers and install ESXi 5. Once installed, those servers are configured using Host Profiles (which have also been enhanced in vSphere 5).

Host Profiles improve vSphere security by ensuring that all ESXi servers in the infrastructure are configured the same way. For instance, you can ensure that SSH is disabled on all hosts or that a certain port is open on the firewall. You could also use Host Profiles to configure the network time protocol and syslog logging on all ESXi hosts.

5. Root password during interactive installation

I know it isn’t really a vSphere 5 security “feature,” but one of the first things I noticed when I went to install ESXi 5 is that I was prompted for a root password before the installation started. With ESXi 4.1, the installation would complete and the root account would have a blank password. Most admins would go in and immediately change it, but it’s easy to forget, and having a host with a blank password is a major vSphere security concern.

Bonus: Host image profile acceptance levels

Most of the notorious Windows “blue screen of death” issues are caused by third-party drivers installed in the OS. The same “purple screen of death” can appear with vSphere if you have driver issues. To prevent these problems and boost vSphere security, VMware has created the host image profile acceptance level in VMware vSphere 5. This feature allows you to specify acceptable sources of ESXi drivers.

For instance, you could configure it to only accept drivers from VMware or VMware partners who certified their drivers. This improves vSphere security by ensuring that your servers don’t contain malicious drivers from unknown sources. If an attacker can compromise the ESXi hypervisor, they may be able to compromise the virtual machines and application data.

0 comments

E-Mail

Username / Password

Password

By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy